I have a working SMTP gateway server / Exchange 2003 server / Windows 2003 Active Directory setup with about 50 users - this has been running fine for a year or so.

I'm learning Exchange as I go - having moved from 5.5 to 2003 successfully, I'm not a newbie, but I'm by no means an expert either!

I have installed another Exchange 2003 server (regular vanilla install) and set it to "Front end mode" with the check box after the install was complete. This will eventually be our OWA & gateway email server in the DMZ, but for now I have it inside and in the same subnet, etc as all the other servers & workstations (so there are no firewalls between machines).

I have setup & secured OWA with an SSL certificate and have enabled forms-based authentication.

Now for the problems...

1) I am able to connect to the OWA logon page but it will not allow me to sign on - it returns me to the logon page with just the username filled in. It displays no error message, just returns to the logon page as many times as you are willing to enter a password and click "Logon". What is strange is that it also sets a frame up on the left side of the webpage and opens all subsequent logon screens in the right 2/3 of the screen.

So... I figured I'd back up a step and try to connect directly to the front end server with an Outlook client (happens to be Outlook 2000). This results in problem #2...

2) When I create a new MS Exchange connection in Outlook that points to the Front End server (either by name or by IP address) I get the following error when I start Outlook. "Name could not be resolved. Network problems are preventing connection to the exchange server..." The front end server IS on the network & live though!

The account I'm logging on with is valid & usable on the back end server from all workstations (including the one I tested the front end server connection with).

One thing I do notice is that, unlike my existing gateway email server, there is no "Default SMTP Virtual Server" shown under IIS in Computer Management. There is only the "Default SMTP Virtual Server" that shows up in Exchange System Management (similar to the existing backend server).

Also, in Exchange System Manager (running on the front end server) I can see both the front end AND back end servers so it appears that the front end server installed into active directory ok...

I'm just not sure where to go with this! - it seems that the front end server isn't integrating with the back end server with regards to authentication in OWA... - but if Outlook can't connect, is there a bigger problem that's causing the OWA problem??? - do I need to uninstall this server & start over? If so, how do I cleanly remove it from A/D???

I think it's much more than the permission on IIS. Can you check if you have DSAccess errors on your FE server? Verify you are able to communicate from FE Exchange to AD servers using tools like dcdiag / netdiag / netmon.

Also, check that you do not have multiple NICs on your FE server (in case you have, please check the network binding order).

Try the most famous solution once: reboot both your Exchange servers and the DC / GC.

Also, which server is configured as your DNS server? Is that the preferred DNS on your NICs?

Why do you want to put the server in the DMZ? Do you think it will enhance the security of your network? If you do then you are disillusioned. It will not. Exchange frontend servers are not deployed for security reasons, but for load. They are primarily used when you have more than one backend server. If you have 50 users I would struggle to justify a frontend server.

If you want to put something in the DMZ then you should be deploying ISA server. That is designed to be put in to the DMZ.

There are two prime reasons why a frontend server will not work.

1. The frontend server hasn't been kept at the same patch level as the backend server. You need to ensure that it is the same or higher. Therefore if the backend is Exchange 2003 SP2 then the frontend needs to be. The patch level (hotfixes) needs to be the same as well.

2. The other problem can be that the authentication settings are wrong on the backend server, so the proxy functionality doesn't work. If you have Require SSL enabled on the backend server, that can stop it from working.
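The two replies above between them give a checklist: DSAccess errors on the front end, NIC count / binding order and preferred DNS, matching patch levels between front end and back end, and Require SSL on the back end. The script below is an added example that works through that checklist from an admin workstation; it is not code from any poster in this thread. It assumes PowerShell 2.0 with remote event log, WMI and remote registry access to both servers, the IIS 6 ADSI provider for the metabase check, placeholder server names FE-EXCH01 and BE-EXCH01, and that the Exchange 2003 setup build is recorded under HKLM\SOFTWARE\Microsoft\Exchange\Setup in the ServicePackNumber and NewestBuild values (assumed value names; verify against your own servers).

```powershell
# Added example, not from the original thread. Exchange 2003 FE/BE sanity checks.
# Assumes PowerShell 2.0, remote event log / WMI / registry / IIS ADSI access,
# and placeholder server names; adjust before running.
param(
    [string]$FrontEnd = 'FE-EXCH01',   # placeholder: your front-end server
    [string]$BackEnd  = 'BE-EXCH01'    # placeholder: your back-end server
)

# 1. DSAccess problems: the MSExchangeDSAccess source writes to the Application log
#    when the server cannot reach a DC / GC or its Configuration DC.
function Get-DSAccessErrors {
    param([string]$Server, [int]$Hours = 24)
    Get-EventLog -ComputerName $Server -LogName Application -EntryType Error,Warning `
        -After (Get-Date).AddHours(-$Hours) |
        Where-Object { $_.Source -eq 'MSExchangeDSAccess' } |
        Select-Object TimeGenerated, EventID, Message
}

# 2. NIC count and DNS: more than one IP-enabled adapter, or a preferred DNS server
#    that is not an internal DC, is what the reply asks you to rule out.
function Get-NicSummary {
    param([string]$Server)
    Get-WmiObject -ComputerName $Server -Class Win32_NetworkAdapterConfiguration `
        -Filter 'IPEnabled = TRUE' |
        Select-Object Description, IPAddress, DNSServerSearchOrder, DNSDomain
}

# 3. Patch level: the front end must be at the same or a higher level than the back end.
#    Registry value names below are assumed for Exchange 2003; check them on your servers.
function Get-ExchangeBuild {
    param([string]$Server)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Server)
    $key  = $hklm.OpenSubKey('SOFTWARE\Microsoft\Exchange\Setup')
    New-Object PSObject -Property @{
        Server      = $Server
        ServicePack = $key.GetValue('ServicePackNumber')
        Build       = $key.GetValue('NewestBuild')
    }
}

# 4. Require SSL on the back-end /Exchange virtual directory stops FE->BE proxying.
#    AccessSSL is the IIS 6 metabase property behind that checkbox.
function Test-BackEndRequiresSsl {
    param([string]$Server, [string]$VDir = 'Exchange')
    $node = [ADSI]"IIS://$Server/W3SVC/1/ROOT/$VDir"
    [bool]$node.AccessSSL
}

"== DSAccess errors/warnings on $FrontEnd (last 24h) =="
Get-DSAccessErrors -Server $FrontEnd | Format-Table -AutoSize

"== NIC / DNS summary =="
foreach ($s in $FrontEnd, $BackEnd) { "-- $s"; Get-NicSummary -Server $s | Format-List }

"== Exchange build levels =="
$fe = Get-ExchangeBuild -Server $FrontEnd
$be = Get-ExchangeBuild -Server $BackEnd
$fe, $be | Format-Table Server, ServicePack, Build -AutoSize
if ([int]$fe.Build -lt [int]$be.Build) {
    Write-Warning "Front end build $($fe.Build) is older than back end build $($be.Build): bring the front end up to the back end's level first."
}

"== Require SSL on $BackEnd /$('Exchange') =="
if (Test-BackEndRequiresSsl -Server $BackEnd) {
    Write-Warning "Back end /Exchange virtual directory requires SSL; clear it so the front end can proxy to it."
} else {
    "Require SSL not set on the back end (OK for front-end proxying)"
}
```

Run it from a workstation with the Exchange System Manager / IIS admin tools installed so the IIS ADSI provider is available; the DSAccess section is the first thing to look at, since both OWA forms-based logon and Outlook MAPI connections depend on the front end finding a GC.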

Thanks for the suggestions - I'll look into this & post back with results...

Right now the server is not in the DMZ - I had planned to do that so I could block all inbound port 80, 21, etc traffic to the internal network and limit it to the DMZ. I already have the server working and on the network - SourceAnywhere is loaded and working... I need to get OWA working again on Exchange 2003 but didn't want to open the main email server to the "outside world" - that's why I thought I'd need to load a front-end Exchange server... The problem may well have to do with service pack/hotfixes... I'm not requiring SSL on the backend...

A frontend server does not meet your design requirements. You are still exposing an Exchange server to the internet. Whether it is a frontend or backend server doesn't matter. Exchange servers cannot operate in isolation, which means your frontend server has to communicate fully with all of your domain controllers and with the backend server. Furthermore, unless you change the configuration of the server, the number of ports that you have to open turns the firewall into Swiss cheese. If your frontend server is compromised, that's it, game over. The machine is a member of the domain and the attacker can walk straight to your data.

To meet your design requirements you need to have something that is not a member of the domain. The primary product used is ISA server.

Personally I have no problems with a dedicated Exchange server exposed to the internet. I only open ports 443 and 25, nothing else.

Thanks for the advice Sembee - and the explanation! That would certainly simplify things for me.

The next question is - I have Exchange loaded on this 2nd server & set to front-end mode. How difficult is it to remove? Are there any gotchas that I need to know to avoid trashing anything in A/D when I remove it?